A new zero-day vulnerability that was recently found to be affecting the popular Java logging library Apache Log4j is already being exploited in the wild, with a POC released publicly on GitHub. This vulnerability allows for unauthenticated remote code execution that could allow for full control of servers. Not only are versions 2.0 through 2.14.1 of Log4j at risk, but some Java programs are likely to be affected as well. Researchers from LunaSec wrote a blog post stating “Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We’re calling it “Log4Shell” for short.”
Researchers have advised that organizations using the affected versions of Apache Log4j investigate for possible compromise. It is also advised to upgrade to log4j-2.15.0-rc1 as soon as possible. If immediate patching is not possible, researchers have developed a temporary mitigation that can be applied:
Start the Java Virtual Machine with the system property log4j2.formatMsgNoLookups set to true, i.e. pass -Dlog4j2.formatMsgNoLookups=true on the JVM command line.
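As an added example (not code from the advisory or from LunaSec), the following Python helper applies the two facts above to an inventory check: it classifies log4j-core jars by the affected version range 2.0 through 2.14.1 and confirms whether a JVM's launch arguments carry the temporary mitigation flag. It assumes the jar filenames follow the standard `log4j-core-<version>.jar` naming; the sample filenames and JVM arguments are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Affected range stated in the advisory (inclusive), and the fixed release it names.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)
FIXED_RELEASE = "2.15.0-rc1"
# Temporary mitigation from the advisory: the JVM system property set to true.
MITIGATION_PROPERTY = "log4j2.formatMsgNoLookups"

# Matches log4j-core-<major>.<minor>[.<patch>][-qualifier].jar (assumed standard naming).
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?\.jar$")


def parse_log4j_core_version(filename: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a log4j-core jar, or None for other jars."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version falls inside the 2.0 .. 2.14.1 range from the advisory."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def jvm_has_mitigation(jvm_args: List[str]) -> bool:
    """True when -Dlog4j2.formatMsgNoLookups=true is present (value compared case-insensitively)."""
    wanted = "-D" + MITIGATION_PROPERTY + "="
    return any(a.startswith(wanted) and a[len(wanted):].lower() == "true" for a in jvm_args)


def assess(jar_names: List[str], jvm_args: List[str]) -> List[str]:
    """One finding per affected jar; the message says whether the mitigation is in place."""
    findings = []
    mitigated = jvm_has_mitigation(jvm_args)
    for name in jar_names:
        version = parse_log4j_core_version(name)
        if version is not None and is_affected(version):
            state = "mitigated by JVM flag" if mitigated else "NOT mitigated"
            findings.append(f"{name}: affected ({state}); upgrade to {FIXED_RELEASE}")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory: one affected jar, one fixed jar, one unrelated jar.
    sample_jars = ["log4j-core-2.14.1.jar", "log4j-core-2.15.0-rc1.jar", "log4j-api-2.14.1.jar"]
    sample_args = ["-Xmx2g", "-Dlog4j2.formatMsgNoLookups=true"]
    for line in assess(sample_jars, sample_args):
        print(line)
```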
Analysis for this vulnerability is ongoing as more information is discovered.